feat(multi-user): enforce owner-scoped visibility and session guards

Author: acmore

docs/command-reference.md

@@ -4,6 +4,7 @@
 
 - `-c, --config`: config file path
 - `--session`: session name override
+- `--owner`: owner identity override (default: `OKDEV_OWNER` or local `USER`)
 - `-n, --namespace`: namespace override
 - `--context`: kube context override
 - `--output text|json`: output format for list/status
@@ -17,11 +18,11 @@
 - `okdev up [--no-attach] [--wait-timeout 3m] [--dry-run]`
   - attach is enabled by default; use `--no-attach` to skip shell + background integrations
 - `okdev down [--delete-pvc] [--dry-run]`
-- `okdev status [--all]`
-- `okdev list [--all-namespaces]`
+- `okdev status [--all] [--all-users]`
+- `okdev list [--all-namespaces] [--all-users]`
 - `okdev use <session>`
 - `okdev connect [--shell /bin/bash] [--cmd "..."] [--no-tty]`
 - `okdev ssh [--setup-key] [--user root] [--cmd "..."]`
 - `okdev ports`
 - `okdev sync [--mode up|down|bi] [--engine native|syncthing] [--watch] [--background] [--dry-run] [--force]`
-- `okdev prune [--ttl-hours 72] [--all-namespaces] [--include-pvc] [--dry-run]`
+- `okdev prune [--ttl-hours 72] [--all-namespaces] [--all-users] [--include-pvc] [--dry-run]`

docs/okdev-design.md

@@ -250,9 +250,11 @@ Ownership model:
 
 - `okdev status`
   - show pod state, sync health, forwarded ports, idle timer
+  - defaults to current owner visibility; `--all-users` required to include other owners
 
 - `okdev list`
-  - list all sessions in current namespace/context (or across namespaces with flag)
+  - list sessions in current namespace/context (or across namespaces with flag)
+  - defaults to current owner visibility; `--all-users` required to include other owners
   - includes repo, branch, owner, age, status, and lock mode
 
 - `okdev use <session>`
@@ -265,7 +267,7 @@ Ownership model:
   - supports `--dry-run` to preview deletions
 
 - `okdev prune [--dry-run]`
-  - cleanup expired/idle sessions by TTL rules
+  - cleanup expired/idle sessions by TTL rules (owner-scoped by default)
   - enforces idle timeout from heartbeat (`okdev.io/last-attach`)
 
 ---
@@ -280,10 +282,15 @@ okdev approach:
 - Any machine with kube access and repo can run `okdev up --attach`.
 
 Optional lock modes:
-- `none` (default shared)
+- `none`
 - `advisory` (warn if another active client)
 - `exclusive` (single active client lease with timeout)
 
+Ownership model:
+- Owner identity resolution: `--owner` flag -> `OKDEV_OWNER` -> local `USER`.
+- Sessions are labeled with `okdev.io/owner=<owner>`.
+- Mutating commands refuse non-owner sessions unless session is explicitly marked shareable.
+
 Lease behavior:
 - Lease duration is short-lived (default 2 minutes) and renewed in background for long-running commands (`connect`, `ssh`, `ports`, `sync --watch`, `sync --engine syncthing`, and `up --attach`).
 - `okdev down` deletes the Lease object so exclusive sessions can be reacquired immediately.

docs/quickstart.md

@@ -72,6 +72,8 @@ Preview-only mode (no cluster changes):
 ./bin/okdev list
 ./bin/okdev use serving-main-alice
 ./bin/okdev status --all
+# cross-owner visibility only when explicitly requested
+./bin/okdev list --all-users
 ```
 
 ## Stop and cleanup

internal/cli/common.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"time"
 
@@ -21,6 +22,8 @@ import (
 const sessionLeaseDuration = 2 * time.Minute
 const sessionHeartbeatInterval = 5 * time.Minute
 
+var invalidOwnerChars = regexp.MustCompile(`[^a-z0-9._-]`)
+
 func loadConfigAndNamespace(opts *Options) (*config.DevEnvironment, string, error) {
 	cfg, path, err := config.Load(opts.ConfigPath)
 	if err != nil {
@@ -48,11 +51,8 @@ func resolveSessionName(opts *Options, cfg *config.DevEnvironment) (string, erro
 	return session.Resolve(opts.Session, cfg.Spec.Session.DefaultNameTemplate)
 }
 
-func labelsForSession(cfg *config.DevEnvironment, sessionName string) map[string]string {
-	owner := os.Getenv("USER")
-	if owner == "" {
-		owner = "dev"
-	}
+func labelsForSession(opts *Options, cfg *config.DevEnvironment, sessionName string) map[string]string {
+	owner := currentOwner(opts)
 	repo := "unknown"
 	if root, err := session.RepoRoot(); err == nil && root != "" {
 		repo = filepath.Base(root)
@@ -63,12 +63,24 @@ func labelsForSession(cfg *config.DevEnvironment, sessionName string) map[string
 		"okdev.io/session": sessionName,
 		"okdev.io/owner":   owner,
 		"okdev.io/repo":    repo,
+		"okdev.io/shareable": func() string {
+			if cfg.Spec.Session.Shareable {
+				return "true"
+			}
+			return "false"
+		}(),
 	}
 }
 
 func annotationsForSession(cfg *config.DevEnvironment) map[string]string {
 	out := map[string]string{
 		"okdev.io/last-attach": time.Now().UTC().Format(time.RFC3339),
+		"okdev.io/shareable": func() string {
+			if cfg.Spec.Session.Shareable {
+				return "true"
+			}
+			return "false"
+		}(),
 	}
 	if cfg.Spec.Session.TTLHours > 0 {
 		out["okdev.io/ttl-hours"] = fmt.Sprintf("%d", cfg.Spec.Session.TTLHours)
@@ -252,17 +264,69 @@ func startSessionMaintenanceWithClient(k *kube.Client, cfg *config.DevEnvironmen
 }
 
 func sessionHolderIdentity() string {
-	user := os.Getenv("USER")
-	if user == "" {
-		user = "dev"
-	}
+	user := currentOwner(nil)
 	host, err := os.Hostname()
 	if err != nil || host == "" {
 		host = "unknown-host"
 	}
 	return user + "@" + host
 }
 
+func currentOwner(opts *Options) string {
+	if opts != nil {
+		if v := normalizeOwner(opts.Owner); v != "" {
+			return v
+		}
+	}
+	if v := normalizeOwner(os.Getenv("OKDEV_OWNER")); v != "" {
+		return v
+	}
+	if v := normalizeOwner(os.Getenv("USER")); v != "" {
+		return v
+	}
+	return "dev"
+}
+
+func normalizeOwner(v string) string {
+	s := strings.ToLower(strings.TrimSpace(v))
+	s = strings.ReplaceAll(s, " ", "-")
+	s = invalidOwnerChars.ReplaceAllString(s, "-")
+	s = strings.Trim(s, "-")
+	return s
+}
+
+func ownerLabelSelector(opts *Options) string {
+	return "okdev.io/owner=" + currentOwner(opts)
+}
+
+func isSessionShareable(p kube.PodSummary) bool {
+	if strings.EqualFold(strings.TrimSpace(p.Annotations["okdev.io/shareable"]), "true") {
+		return true
+	}
+	return strings.EqualFold(strings.TrimSpace(p.Labels["okdev.io/shareable"]), "true")
+}
+
+func ensureSessionOwnership(opts *Options, k *kube.Client, namespace, sessionName string, allowShareable bool) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+	pods, err := k.ListPods(ctx, namespace, false, "okdev.io/managed=true,okdev.io/session="+sessionName)
+	if err != nil {
+		return err
+	}
+	if len(pods) == 0 {
+		return nil
+	}
+	owner := currentOwner(opts)
+	otherOwner := strings.TrimSpace(pods[0].Labels["okdev.io/owner"])
+	if otherOwner == "" || otherOwner == owner {
+		return nil
+	}
+	if allowShareable && isSessionShareable(pods[0]) {
+		return nil
+	}
+	return fmt.Errorf("session %q is owned by %q (current owner: %q); set --owner %s or mark session as shareable", sessionName, otherOwner, owner, otherOwner)
+}
+
 func ensureCommand(name string) error {
 	if _, err := exec.LookPath(name); err != nil {
 		return fmt.Errorf("required command %q not found in PATH", name)

internal/cli/common_test.go

@@ -11,13 +11,16 @@ import (
 func TestNamesAndLabels(t *testing.T) {
 	t.Setenv("USER", "alice")
 	cfg := &config.DevEnvironment{Metadata: config.Metadata{Name: "proj"}}
-	labels := labelsForSession(cfg, "sess1")
+	labels := labelsForSession(&Options{}, cfg, "sess1")
 	if labels["okdev.io/session"] != "sess1" {
 		t.Fatalf("session label mismatch: %+v", labels)
 	}
 	if labels["okdev.io/owner"] != "alice" {
 		t.Fatalf("owner label mismatch: %+v", labels)
 	}
+	if labels["okdev.io/shareable"] != "false" {
+		t.Fatalf("shareable label mismatch: %+v", labels)
+	}
 	if podName("sess1") != "okdev-sess1" {
 		t.Fatalf("unexpected pod name %q", podName("sess1"))
 	}

internal/cli/connect.go

@@ -23,6 +23,10 @@ func newConnectCmd(opts *Options) *cobra.Command {
 			if err != nil {
 				return err
 			}
+			k := newKubeClient(opts)
+			if err := ensureSessionOwnership(opts, k, ns, sn, true); err != nil {
+				return err
+			}
 			stopRenew, err := acquireSessionLock(opts, cfg, ns, sn, cmd.OutOrStdout())
 			if err != nil {
 				return err
@@ -44,7 +48,7 @@ func newConnectCmd(opts *Options) *cobra.Command {
 			if len(execCmd) == 1 && strings.TrimSpace(execCmd[0]) == "" {
 				execCmd = []string{"sh", "-lc", "command -v bash >/dev/null 2>&1 && exec bash || exec sh"}
 			}
-			return runConnect(opts, ns, sn, execCmd, !noTTY)
+			return runConnectWithClient(k, ns, sn, execCmd, !noTTY)
 		},
 	}
 	cmd.Flags().StringVar(&shell, "shell", "", "Shell to start (default auto-detects bash/sh)")

internal/cli/down.go

@@ -23,6 +23,9 @@ func newDownCmd(opts *Options) *cobra.Command {
 				return err
 			}
 			k := newKubeClient(opts)
+			if err := ensureSessionOwnership(opts, k, ns, sn, false); err != nil {
+				return err
+			}
 			ctx, cancel := defaultContext()
 			defer cancel()
 			if dryRun {

internal/cli/list.go

@@ -11,6 +11,7 @@ import (
 
 func newListCmd(opts *Options) *cobra.Command {
 	var allNamespaces bool
+	var allUsers bool
 
 	cmd := &cobra.Command{
 		Use:   "list",
@@ -32,7 +33,11 @@ func newListCmd(opts *Options) *cobra.Command {
 			}
 			ctx, cancel := defaultContext()
 			defer cancel()
-			pods, err := newKubeClient(opts).ListPods(ctx, ns, allNamespaces, "okdev.io/managed=true")
+			label := "okdev.io/managed=true"
+			if !allUsers {
+				label = label + "," + ownerLabelSelector(opts)
+			}
+			pods, err := newKubeClient(opts).ListPods(ctx, ns, allNamespaces, label)
 			if err != nil {
 				return err
 			}
@@ -43,6 +48,7 @@ func newListCmd(opts *Options) *cobra.Command {
 				type listRow struct {
 					Namespace string `json:"namespace"`
 					Session   string `json:"session"`
+					Owner     string `json:"owner"`
 					Phase     string `json:"phase"`
 					Age       string `json:"age"`
 					Active    bool   `json:"active"`
@@ -53,6 +59,7 @@ func newListCmd(opts *Options) *cobra.Command {
 					rows = append(rows, listRow{
 						Namespace: p.Namespace,
 						Session:   sn,
+						Owner:     p.Labels["okdev.io/owner"],
 						Phase:     p.Phase,
 						Age:       age(p.CreatedAt),
 						Active:    sn != "" && sn == activeSession,
@@ -69,15 +76,17 @@ func newListCmd(opts *Options) *cobra.Command {
 				rows = append(rows, []string{
 					p.Namespace,
 					sn,
+					p.Labels["okdev.io/owner"],
 					p.Phase,
 					age(p.CreatedAt),
 				})
 			}
-			output.PrintTable(cmd.OutOrStdout(), []string{"NAMESPACE", "SESSION", "PHASE", "AGE"}, rows)
+			output.PrintTable(cmd.OutOrStdout(), []string{"NAMESPACE", "SESSION", "OWNER", "PHASE", "AGE"}, rows)
 			return nil
 		},
 	}
 
 	cmd.Flags().BoolVar(&allNamespaces, "all-namespaces", false, "List sessions across all namespaces")
+	cmd.Flags().BoolVar(&allUsers, "all-users", false, "List sessions for all owners")
 	return cmd
 }

internal/cli/ports.go

@@ -24,6 +24,10 @@ func newPortsCmd(opts *Options) *cobra.Command {
 			if err != nil {
 				return err
 			}
+			k := newKubeClient(opts)
+			if err := ensureSessionOwnership(opts, k, ns, sn, true); err != nil {
+				return err
+			}
 			stopRenew, err := acquireSessionLock(opts, cfg, ns, sn, cmd.OutOrStdout())
 			if err != nil {
 				return err
@@ -49,7 +53,6 @@ func newPortsCmd(opts *Options) *cobra.Command {
 			ctx, cancel := interactiveContext()
 			defer cancel()
 			fmt.Fprintf(cmd.OutOrStdout(), "Forwarding %v from session %s\n", forwards, sn)
-			k := newKubeClient(opts)
 			slog.Debug("ports start", "namespace", ns, "session", sn, "forwards", forwards)
 			return portsrunner.ForwardWithRetry(ctx, k, ns, podName(sn), forwards, os.Stdout, cmd.ErrOrStderr(), 30*time.Second)
 		},

internal/cli/prune.go

@@ -10,6 +10,7 @@ import (
 
 func newPruneCmd(opts *Options) *cobra.Command {
 	var allNamespaces bool
+	var allUsers bool
 	var ttlHours int
 	var includePVC bool
 	var dryRun bool
@@ -32,7 +33,11 @@ func newPruneCmd(opts *Options) *cobra.Command {
 			ctx, cancel := defaultContext()
 			defer cancel()
 			k := newKubeClient(opts)
-			pods, err := k.ListPods(ctx, ns, allNamespaces, "okdev.io/managed=true")
+			label := "okdev.io/managed=true"
+			if !allUsers {
+				label = label + "," + ownerLabelSelector(opts)
+			}
+			pods, err := k.ListPods(ctx, ns, allNamespaces, label)
 			if err != nil {
 				return err
 			}
@@ -102,6 +107,7 @@ func newPruneCmd(opts *Options) *cobra.Command {
 	}
 
 	cmd.Flags().BoolVar(&allNamespaces, "all-namespaces", false, "Prune sessions across all namespaces")
+	cmd.Flags().BoolVar(&allUsers, "all-users", false, "Prune sessions for all owners")
 	cmd.Flags().IntVar(&ttlHours, "ttl-hours", 0, "TTL in hours override")
 	cmd.Flags().BoolVar(&includePVC, "include-pvc", false, "Delete default workspace PVCs for pruned sessions")
 	cmd.Flags().BoolVar(&dryRun, "dry-run", false, "Preview prune actions without deleting resources")